This patch adds CPE ID information for a significant number of
packages.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

From NEWS:
* Changes in Wget 1.20.2
** Fixed a buffer overflow vulnerability
For more details, see the announcement:
https://lists.gnu.org/archive/html/info-gnu/2019-04/msg00000.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Default to pcre2 to mimic upstream configure.ac.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Fixes the following security issues:
CVE-2017-13089: The http.c:skip_short_body() function is called in some
circumstances, such as when processing redirects. When the response is sent
chunked, the chunk parser uses strtol() to read each chunk's length, but
doesn't check that the chunk length is a non-negative number. The code then
tries to skip the chunk in pieces of 512 bytes by using the MIN() macro, but
ends up passing the negative chunk length to connect.c:fd_read(). As
fd_read() takes an int argument, the high 32 bits of the chunk length are
discarded, leaving fd_read() with a completely attacker controlled length
argument.
CVE-2017-13090: The retr.c:fd_read_body() function is called when processing
OK responses. When the response is sent chunked, the chunk parser uses
strtol() to read each chunk's length, but doesn't check that the chunk
length is a non-negative number. The code then tries to read the chunk in
pieces of 8192 bytes by using the MIN() macro, but ends up passing the
negative chunk length to retr.c:fd_read(). As fd_read() takes an int
argument, the high 32 bits of the chunk length are discarded, leaving
fd_read() with a completely attacker controlled length argument. The
attacker can corrupt malloc metadata after the allocated buffer.
Drop now upstreamed patch and change to .tar.lz as .tar.xz is no longer
available.
Also add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

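As an added illustration of the flaw the two CVE descriptions above share (this is not wget code and not part of the commit), the block below parses a chunk-size line the way the description says the pre-fix code did, shows what an int parameter actually receives once MIN() has passed a negative length down, and gives a parser that rejects such input. Function names are ours; the 512-byte piece size is the one the CVE-2017-13089 text mentions.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>

/* Constructed example for the CVE-2017-13089/13090 chunk-length handling:
 * the chunk size is read with strtol() and, if its sign is not checked,
 * a negative value survives MIN() and is narrowed to int further down.
 * Names here are ours, not wget's. */

#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define SKIP_PIECE 512   /* skip_short_body() skipped in 512-byte pieces */

/* Pre-fix logic: the strtol() result is used directly, with no sign check. */
long chunk_len_unchecked(const char *line)
{
    return strtol(line, NULL, 16);
}

/* What an int parameter such as fd_read()'s receives: the low 32 bits of
 * the long (two's complement assumed, as on all mainstream targets). */
int narrowed_to_int(long len)
{
    return (int)(unsigned int)((unsigned long)len & 0xFFFFFFFFUL);
}

/* Hardened parser: rejects a sign, leading whitespace, a missing number,
 * overflow, and trailing bytes other than ";extension" or CRLF.
 * Returns the chunk length, or -1 for any malformed input. */
long chunk_len_checked(const char *line)
{
    char *end;
    long len;
    /* strtol() silently accepts leading whitespace and a '-' or '+'. */
    if (line[0] == '-' || line[0] == '+' || isspace((unsigned char)line[0]))
        return -1;
    errno = 0;
    len = strtol(line, &end, 16);
    if (end == line || errno == ERANGE || len < 0)
        return -1;
    if (*end != '\0' && *end != ';' && *end != '\r' && *end != '\n')
        return -1;
    return len;
}

/* Size handed to the read call for the first piece, after MIN(). */
int first_piece(long chunk_len)
{
    return narrowed_to_int(MIN(chunk_len, (long)SKIP_PIECE));
}
```

With a negative chunk length, MIN() keeps the negative value and the narrowing to int yields whatever the low 32 bits hold, which is the "completely attacker controlled length" the description refers to; the checked parser turns the same line into a -1 before any read is attempted.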
We want to use SPDX identifier for license string as much as possible.
SPDX short identifier for GPLv3/GPLv3+ is GPL-3.0/GPL-3.0+.
This change is done using following command.
find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/\<GPLv3\>/GPL-3.0/g'
Signed-off-by: Rahul Bedarkar <rahulbedarkar89@gmail.com>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

Due to the patches we have on wget 1.19, we need to
autoreconf. Unfortunately, when the autoreconfiguration process occurs
with host-gettext already built and installed, the build of wget fails
with a fairly weird error:
In file included from str-two-way.h:44:0,
from c-strcasestr.c:37:
./stdint.h:89:5: error: #if with no expression
#if
As explained in http://git.net/ml/bug-gnulib-gnu/2017-01/msg00067.html
and the links pointed by this page, this is due to an incompatibility
between the newer version of gnulib used in wget, and an older .m4 file
in gettext.
In the context of Buildroot, the easiest way to avoid the issue is to
not autoreconf wget. The wget project has conveniently released a 1.19.1
release, which contains our two patches, plus just one small feature
addition. It is therefore reasonable to apply this as a solution to this
build issue.
Fixes:
http://autobuild.buildroot.net/results/b62ac6fd5ce36453935c309e112262467cf0e3bf/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

When building wget with openssl in static libs configuration, the wget
build system fails to detect openssl because it doesn't specify LD flags
for private libs used by openssl. This specifically happens when we
pass --with-libssl-prefix to configure, which tries to find ssl using
custom flags. If we don't specify --with-libssl-prefix, it relies on
pkg-config files to detect ssl and its LD flags, which helps with static
linking.
This commit removes --with-libssl-prefix conf opts. Since this case is
similar to gnutls, we remove same conf opts for gnutls as well.
wget can be built with either gnutls or openssl crypto libraries, so
separate optional support for both is not required. This commit also
does minor optimization by checking for either gnutls or openssl while
at it.
Fixes:
http://autobuild.buildroot.net/results/c6a/c6abdff37b86471cf8b0ceffeff5472042923de0/
Signed-off-by: Rahul Bedarkar <rahul.bedarkar@imgtec.com>
Reviewed-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

Fixes:
CVE-2016-4971 - By default, on server redirects to an FTP resource, use
the original URL to get the local file name.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

This commit doesn't touch infra packages.
Signed-off-by: Jerzy Grzegorek <jerzy.grzegorek@trzebnica.net>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

Fixes a regression of quiet mode not being quiet.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

- Bump version to 1.16.2
- Update the hash file
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Uses pkgconfig since 1.16.1+ to find libraries.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

To be consistent with the recent change of FOO_MAKE_OPT into FOO_MAKE_OPTS,
make the same change for FOO_CONF_OPT.
Sed command used:
find * -type f | xargs sed -i 's#_CONF_OPT\>#&S#g'
Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

Instead of using a custom hook to gettextize wget, use the new
gettextize infra we just added in the previous patch.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Gustavo Zacarias <gustavo@zacarias.com.ar>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Cc: Baruch Siach <baruch@tkos.co.il>
Acked-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

Currently, the gettextization of wget works by chance:
- host-gettext is added as a dependency to wget;
- gettextize is run as a post-patch hook.
But the dependencies are only guaranteed to be built and installed
for the configure step, not the patch step. Because post-patch hooks
are part of the patch step, we have no guarantee that the dependency
to host-gettext is done by the time we gettextize wget.
This happens to work by chance, since wget sorts alphabetically after
gettext, so we indeed have host-gettext built and installed by the
time we need to gettextize wget.
This is prone to fail in the parallel build case, since we can no
longer rely on alphabetical order in that case.
Instead, run gettextize in PRE_CONFIGURE_HOOKS to avoid the race.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
[baruch: make the fix independent from the gettextize infra]
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

Fix failed AUTORECONF under certain circumstances where gettext infra is
much newer (>= 0.18) than what wget source expects (~ 0.17).
Do this by gettextizing the source before AUTORECONFing.
If this becomes common we may need a FOO_GETTEXTIZE generic option, but
for now this seems to be the only package that needs it.
Fixes:
http://autobuild.buildroot.net/results/c0f/c0f7c801f61fdc310cde64342060b00a70155431/
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Tested-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

Same fix as a728e2fe3 (coreutils: fix build against uclibc snapshot).
uClibc development version adds support for POSIX spawn routines. However,
unlike glibc these routines are in librt. This breaks gnulib autoconf
detection. Teach gnulib autoconf to look for POSIX spawn in librt.
Fixes:
http://autobuild.buildroot.net/results/bc20297dad0f0e9b7fa79fe835b9754fbce6dfdf/
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

[Peter: leave change xz tarball format to not end up with circular deps]
Signed-off-by: Jerzy Grzegorek <jerzy.grzegorek@trzebnica.net>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>

* Bump wget to version 1.13.4
* Enable wget again on !wchar toolchains
* Enable support for gnutls
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>

Thanks to the pkgparentdir and pkgname functions, we can rewrite the
AUTOTARGETS macro in a way that avoids the need for each package to
repeat its name and the directory in which it is present.
[Peter: pkgdir->pkgparentdir]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>

Makefile.autotools.in automatically adds these to the configure invocation,
so there's no need to explicitly list them.
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>

We have been passing -q to ./configure when using 'make -s' for
packages using Makefile.autotools.in for some time. Do the same
for packages using autotools, but not using the
Makefile.autotools.in infrastructure, taking care to not do it
for packages with hand written configure scripts.
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>

A C library will have been built by the toolchain makefiles, so there is no
need for packages to explicitly depend on uclibc.
Signed-off-by: Will Newton <will.newton@gmail.com>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>